===================================================================== CERT-Renater Note d'Information No. 2004/VULN099 _____________________________________________________________________ DATE : 10/03/2004 HARDWARE PLATFORM(S) : IBM. OPERATING SYSTEM(S) : AIX 4.3.3. ====================================================================== =========================================================================== VULNERABILITY SUMMARY VULNERABILITY: Vulnerability in rexecd may allow root access PLATFORMS: AIX 4.3.3 SOLUTION: Apply the APAR listed below. THREAT: A remote attacker may gain root privileges. CERT VU Number: n/a CVE Number: n/a =========================================================================== DETAILED INFORMATION I. Description =============== A vulnerability was discovered in the rexecd daemon that may allow remote user to gain root privileges. This vulnerability can cause user information of the connecting user to be potentially be overwritten with that of another user. The connection would proceed with the overwritten data and the connecting user would then have the privileges of the other user. This may be dependent on the type of authentication defined for the connecting user. It is possible, but not certain, that the connecting user may gain root privileges. Note that this only applies to AIX 4.3.3. rexecd ships as part of the bos.net.tcp.client fileset. To determine if this fileset is installed, execute the following command: # lslpp -L bos.net.tcp.client This vulnerability is in filesets 4.3.3.91 and below. II. Impact ========== A remote attacker may gain root privileges. III. Solutions =============== A. Official Fix IBM provides the following fixes: APAR number for AIX 4.3.3: IY53507 NOTE: Affected customers are urged to upgrade to 5.1.0 or 5.2.0 at the latest maintenance level. B. Workaround The rexec daemon runs under the control of the inetd daemon. To disable the rexecd daemon, as root enter: # smitty rminetdconf Scan through the list of subservers. If rexecd is not listed it is not enabled. If it is listed, place the cursor on the name and press enter. To make the change effective enter: # refresh -s inetd IV. Obtaining Fixes =================== AIX Version 4.3.3 and Version 5 APARs can be downloaded from the eServer pSeries Fix Central web site: http://www-912.ibm.com/eserver/support/fixes/fcgui.jsp Security related Emergency Fixes can be downloaded from: ftp://aix.software.ibm.com/aix/efixes/security V. Acknowledgements =================== This document written by Kent Stuiber. VI. Contact Information ======================== If you would like to receive AIX Security Advisories via email, please visit: https://techsupport.services.ibm.com/server/pseries.subscriptionSvcs Comments regarding the content of this announcement can be directed to: security-alert@austin.ibm.com To request the PGP public key that can be used to communicate securely with the AIX Security Team send email to security-alert@austin.ibm.com with a subject of "get key". The key can also be downloaded from a PGP Public Key Server. The key id is 0x3AE561C3. Please contact your local IBM AIX support center for any assistance. eServer is a trademark of International Business Machines Corporation. IBM, AIX and pSeries are registered trademarks of International Business Machines Corporation. All other trademarks are property of their respective holders. ====================================================================== ========================================================= Les serveurs de référence du CERT-Renater http://www.urec.fr/securite http://www.cru.fr/securite http://www.renater.fr ========================================================= + CERT-RENATER | tel : 01-53-94-20-44 + + 151 bd de l'Hopital | fax : 01-53-94-20-41 + + 75013 Paris | email: certsvp@renater.fr + =========================================================